Botnets are bad m'kay



Is there anyone here who doesn't know what a
botnet is?



IF no one here says "yes" 
THEN skip ahead to slide seven. 



Botnets in Practice 



Early worms opened remote backdoors on the
infected systems. Generally not reachable if the system
is behind a NAT.

Because most malware authors spent their lives on
IRC, they adapted existing IRC bots to their
purposes.

The current generation of botnets is using HTTP,
which is generally unfiltered on most corporate
networks where IRC would be filtered.

Almost no botnets use SSL or do anything at all
clever. [Storm eDonkey]



So You Own a Botnet...

You write a network worm which infects millions of
computers... So now what?

You have a large distributed computing platform at
your disposal.

Wouldn't it be nice if you had an army of robot slaves
to do your evil bidding?



How to make money

You have administrator access to over a million
computers around the globe; how does one
monetize this?

Extortion schemes involving DDOS attacks. 

Sell spamming services to spammers. 

Advertisement click-fraud. 

Identity Theft. 

Corporate/Government Espionage. (Usually small 
targeted attacks.) 



Botnet Spread

Currently the largest attack vector is via web
browsers.

Also same vectors as non-bot worms and viruses: 

Remote Windows Vulnerability (in OS or Web 
Browser) 

Social Engineering (email, IM) 

Bundled with Warez 



The Srizbi [Reactor3] Botnet

The code is based on an older spambot, but with an
NT kernel rootkit wrapped around it. The spamming
code itself runs from kernel space.

Used HTTP for communications to the bot herders:
spam templates, bot updates, and mysterious data
from users' machines.

The C&C code was written mostly in Python, with
some modules written in C++.

The botnet was operated in several smaller
segments, with slightly different bots.

For most of 2008, Srizbi's (as well as almost all of the
major botnets') C&C servers were located at a single
ISP.



McColo (AS26780)

Operated by Russians, with an Estonian business address,
incorporated in Delaware, and with servers physically
located in downtown San Jose, CA.

"Customers" were almost entirely botnet C&C
servers [Srizbi, Mega-D, Rustock, Pushdo, Warezov,
Vundo], sites hosting malware (fake AVs, etc.), web
search hijacking sites, or [spam-advertised]
pharmacy sites.

If you wanted to host your server with them as a
normal customer, there was no way to even contact
them.

Depeered by Global Crossing (AS3549) and
Hurricane Electric (AS6939) on 11-Nov-2008.



Brian Krebs [Washington Post]

[Figure: Washington Post graphic of what McColo hosted. Legible parts of the image:
Rogue Security Software: 208.72.169.100 and 208.72.168.84, with a cluster of
fake-update and fake-security domain names (the names themselves are unreadable
in the capture).
208.72.169.56: control server for the Torpig/Sinowal rootkit/keylogger,
responsible for stealing 500k bank and credit accounts over 2.5 years.
Child pornography web sites.
Proxy/anonymization services.]

http://voices.washingtonpost.com/securityfix/2008/11/the_badness_that_was_mccolo.html



McColo Shutdown



Nov 11, 2008 16:23:17.994627 EST 




McColo Timeline

2008.04.18 - Alex made first contact with the FBI
agent with whom FireEye has previously assisted
with DDoS/botnet investigations

2008.04.25 - PCAP traces were gathered from
current customers who consented to help, in
accordance with the Special Agent's instructions

2008.06.27 - Pinged the agent for an update; told to
give it more time

2008.08.22 - The research team realized that the
problem was so egregious that we needed to disclose
what the situation was. First article published:

http://blog.fireeye.com/research/2008/08/srizbi-and-rust.html

Srizbi and Rustock are hosted at nearly sequential IPs at McColo...



McColo Timeline




We hoped that this initial article would spur some law
enforcement investigation, but it did not happen. We gave it
a little more time, then essentially disclosed everything.

2008.09.23 - Alex complained at MAAWG that no one was
doing anything about McColo and that all the top botnets
were being run out of a 1/4 acre in San Jose

2008.10.19 - FireEye Blog Post: Silent Storm or Silence
before the Storm?

http://blog.fireeye.com/research/2008/10/storm-just-befo.html

"Another thing worth noting is the unencrypted version's outbound HTTP
communication with the host '208.72.169.23' at McColo."

"Also note that this host is an immediate "IP neighbor" to one of the known Srizbi
CnC hosts (208.72.169.22) at McColo"



McColo Timeline

2008.10.26 - Blog: Rogue.AntiVirus2009 hosted by McColo

http://blog.fireeye.com/research/2008/10/rogueantivirus2009-hosted-by-mccolo.html

2008.10.28 - Blog: McColo hosting Srizbi C&C

http://blog.fireeye.com/research/2008/10/mccolo-hosting-srizbi-cc.html

2008.10.28 - Blog: McColo hosting W32/Dedler C&C

http://blog.fireeye.com/research/2008/10/mccolo-hosting-w32dedler-cc.html

"It appears they are nice enough to host the C&C for a 2004
worm known as Dedler."

2008.10.28 - Blog: McColo (still) hosting Rustock C&C

http://blog.fireeye.com/research/2008/10/mccolo-still-hosting-rustock-cc.html

"A month ago we wrote that McColo was hosting a Rustock
Command and Control server on 208.72.168.191. I [Alex]
wish I could report that Hurricane Electric or Global Crossing,
their two upstream providers, had stopped routing these
clowns, but unfortunately, that is not the case."



McColo Timeline

2008.10.28 - Blog: More on McColo and Rogues

http://blog.fireeye.com/research/2008/10/more-on-mccolo-and-rogues.html

"There doesn't seem to be a day that goes by that I don't have
something new to add on McColo. It's not that I am trying to
target their fine colocation facility and it's not that I have a thing
against Scotland, it's just that our appliance keeps detecting more
and more badness coming out of their subnets."

2008.11.07 - Blog: Quick nugget on the McColo/Russia/Rustock
connection

http://blog.fireeye.com/research/2008/11/quick-nugget-on-the-russiarustock-connection.html

2008.11.11 - Blog: McColo shutdown Nov 11, 2008 16:23 EST

http://blog.fireeye.com/research/2008/11/mccolo-shutdown-nov-11-2008-1323-est.html

Thanks to Brian Krebs of the Post throwing some weight around
with GBLX and HE, worldwide spam temporarily drops by >50%.



Spam Levels (source: spamcop.net)

[Figure: SpamCop statistics chart for weeks 43 and 44, plotting "Spam Submitted"
and "Reports Sent". Legend text: Average Spam: 19.9 messages per second;
Max Spam: 52.5 messages per second; Total Spam (last month): figure unreadable
in the capture.]

Spam Levels (source: marshal.com)

[Figure: marshal.com spam-volume chart; no text recoverable from the capture.]

Who's Who (multiple sources)



Who                                         What                                                 Where
Nikolai "Kolya-McColo" (deceased Sep 2007)  Founded McColo the ISP                               Moscow, Russia
Vladimir                                    Wrote "Reactor Mailer 3" Bot and C&C (aka Srizbi)    Ukraine
"SPM"                                       Operates Srizbi botnet as the company "Elphisoft"    Ukraine/Russia
(unknown)                                   The other guy operating Srizbi





The Srizbi Fallback Mechanism

If the C&C server is unreachable after retrying for
about ten minutes, the bot attempts to connect to four
seemingly random DNS names.

Our first thought was that these were static names that
the bot herder forgot to register.

These names are generated from the date (GMT), mod
three, of the bot's start-up time (generally at boot time).

The DNS names are deterministically predictable for
any day in the past or future.

The bot herder can register the DNS names for today or a
month from now.

Some DNS registrars allow for "taste-testing" a
domain, registering it for only five days, for US$0.99,
which is all the time needed to update the botnet with
new code.



Reversing

Most of the Srizbi bot samples that we had were
packed with ASPack, which just slows down the
reverse engineer slightly.

We had some .pcaps of some samples talking to the
live C&C servers before they went down, and I found
one which contained an update to the bot binary.

That update wasn't packed, so I just opened it in
IDA Pro.



(IDA Pro listing of the DNS-name generator from the unpacked update; operand
names are the ones assigned during analysis)

        mov     byte ptr [ebp+arg_day+3], bl        ; days mod 3
        mov     ebx, [ebp+arg_iteration]            ; range 0:3
        and     byte ptr [ebp+arg_day+3], 0Fh
        xor     esi, esi
        inc     ebx                                 ; range 1:4

second_loop:
        movzx   eax, byte ptr [ebp+arg_day+3]
        lea     ecx, [ebp+esi+var_something]
        movzx   edx, byte ptr [ecx]                 ; 8 bytes of stuff from above
        xor     eax, edx
        imul    eax, ebx                            ; dns name loop iteration
        push    15
        cdq                                         ; extend sign of EAX into EDX
        pop     edi
        idiv    edi                                 ; mod 15
        inc     esi
        cmp     esi, 8
        mov     [ecx], dl                           ; remainder mod 15
        jl      short second_loop

        mov     eax, [ebp+arg_that_new_buffer]
        xor     ecx, ecx

third_loop:
        movzx   edx, byte ptr [ebp+ecx+var_something]
        mov     dl, byte ptr ds:aQwertyuiopasdfghjklzxcvbnm[edx]
        mov     [eax], dl
        inc     eax
        inc     ecx
        ...                                         ; loop-closing compare/jump unreadable in the capture

"qwertyuiopasdfghjklzxcvbnm"



Algorithm

Get the current date in days since the Unix
epoch, mod 3 (i.e. rounded down to a multiple of
three days; this is treated as an array of
four octets in LSB order).

XOR each nibble [4 bits] of the date with
each nibble of 0x5BE741E3 (the magic number is
different for each sample), generating an
eight-octet array (64 bits total).

XOR the least-significant nibble of the date (mod 3)
with each byte of the new eight-octet array.



The Current Date

13.NOV.2008 - 1.DEC.1969 = 14226 days
14226 = 0x00003792 days
0x00003792 = {0x92,0x37,0x00,0x00}
14.NOV.2008 mod 3 = 13.NOV.2008
15.NOV.2008 mod 3 = 13.NOV.2008
16.NOV.2008 mod 3 = 16.NOV.2008
(All dates are 00:00 GMT)



Algorithm

The eight-octet array (of nibbles) has each
octet multiplied by 1, 2, 3, and 4, mod 15, to
generate each of the four DNS names.

Each octet, within the 4-bit range 0 through
15, is mapped to a letter from this familiar
sequence: "qwertyuiopasdfg[...]vbnm", where
0=='q', 1=='w', 2=='e', etc.

The string ".com" is concatenated to the end.







Math Review

0x05 * 2 = 0x0A = 0x0A (mod 15)
0x05 * 3 = 0x0F = 0x00 (mod 15)
0x05 * 4 = 0x14 = 0x05 (mod 15)

{ 05 03 05 04 0C 05 07 09 } multiply by ...
multiply by 1 mod 15 equals { 05 03 05 04 0C 05 07 09 }
multiply by 2 mod 15 equals { 0A 06 0A 08 09 0A 0E 03 }
multiply by 3 mod 15 equals { 00 09 00 0C 06 00 06 0C }
multiply by 4 mod 15 equals { 05 0C 05 01 03 05 0D 06 }



Index:   00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
Letter:   q  w  e  r  t  y  u  i  o  p  a  s  d  f  g  h

First Multiple   05 03 05 04 0C 05 07 09   "yrytdyip.com"
Second Multiple  0A 06 0A 08 09 0A 0E 03   "auaopagr.com"
Third Multiple   00 09 00 0C 06 00 06 0C   "qpqduqud.com"
Fourth Multiple  05 0C 05 01 03 05 0D 06   "ydywryfu.com"



Multiplication Table

- ((foo * 2) * 2) = (foo * 4)
  ((foo * 4) * 4) = (foo * 1)

- The third multiple name will only use an alphabet of five
  characters, because 3 and 5 are factors of 15.



Black-Box Shortcut

The DNS name calculation is extremely
linear; it's possible to pre-calculate all of the
future DNS names with only the knowledge
of some names and dates. The mystery
constant is unneeded.

(...nished analyzing the binary yet.)

Remember this identity:
If (A⊕B1 = C1) and (A⊕B2 = C2) and (A⊕A = 0), then
C1⊕C2 = A⊕B1⊕A⊕B2 = B1⊕B2



Black-Box Shortcut

We're going to use:

Unknown1⊕Date1 = Name1   (Bot1)
Unknown1⊕Date2 = Name2   (Bot1)
Unknown2⊕Date1 = Name3   (Bot2)

To get: Name1⊕Name2 = Date1⊕Date2

So we can compute: Date1⊕Date2⊕Name3 = Unknown2⊕Date2,
which is the new name for Bot2 on Date2.



Black-Box Shortcut

Date       Bot1      Bot2      Bot3      Bot4      Bot5      Bot6      Bot7      Bot8
Nov 13-15  yrytdyip  dqsuyaau  eeqdfypo  efwiwygp  eifpaqyi  fwdfiggq  gfdadort  gqgtpwdy
Nov 16-18  ererseqg
Nov 19-21  qrqguqer
Nov 22-24  drdfadgq
Nov 25-27  prpoqpsy

Nov 13,14,15   yrytdyip = 0x5354c579
Nov 16,17,18   ererseqg = 0x2323b20e     yrytdyip ⊕ ererseqg = 0x70777777
Nov 19,20,21   qrqguqer = 0x030e6e23     ererseqg ⊕ qrqguqer = 0x202ddc2d

etc...









Black-Box Shortcut

Date       Bot1      Bot2      Bot3      Bot4      Bot5      Bot6      Bot7      Bot8
Nov 13-15  yrytdyip  dqsuyaau  eeqdfypo  efwiwygp  (remaining cells unreadable in the capture)
Nov 19-21  qrqguqer  uqwdqqqd  oeaud...  (remaining cells unreadable in the capture)
Nov 22-24  drdfadgq  yc...     (remaining cells unreadable in the capture)
Nov 25-27  prpoqpsy  qqiapuua  gedqwpyr  (remaining cells only partly readable: "gr r srpey", "giwyuaps", "wwqwseea")

(Fragments from this slide that could not be placed in a row: "Euquepg yiagf ieq awsaqppi", "eqeoyrqp")



DNS Prophylactic

We [FireEye] registered the approximately 250
DNS names that the Srizbi botnet would use just
after McColo went down (none of them had been
registered yet).

Pointing these DNS names at a colo box of our
own, over 100,000 unique IP addresses
connected within the first 24 hours, and over
600,000 within the first week.
Policy Issues (todo list)



Notification of all of the network administrators for 
all of the source IPs we recorded bots originating 
from. 

Development of procedures for how to coordinate 
large botnet takedowns by network providers. 

DNS blacklisting if similar bot recovery techniques 
are used in the future. 
Questions

FireEye Blog:

http://blog.fireeye.com/



C&C Communications

A typical bot request for a spam template ("Atom"):

GET /g/B5C66E-D701D6-D3012E HTTP/1.1
Host: dppdrpqd.com
X-Flags:
X-TM: 260295
X-BI: C3CDC5D8D6C6CED89C
X-PH:

Field by field (the slide builds annotate the same request):

Request type - the first path component, one of "/g", "/m", "/r", "/d", "/k", "/p"
Host - obvious
X-TM - uptime in minutes (since the last reboot)
X-BI - unique identity, f(bot, system)
X-Flags - bot binary version/ID; related strings for samples with the same port number
X-PH - no idea

C&C Communications

A typical bot "minidump" upload:

POST /m/10FD3F-8D0D24-67019D HTTP/1.1
Content-Length: 33712
X-Flags:
X-TM: 1560
X-BI: D9CFD8CDCFC0D6C3C4D9DE9D
X-PH:

No, wrong: missing Host: header
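The traits the C&C slides point out (the "/<type>/<id>" path, the X-Flags/X-TM/X-BI/X-PH header set, X-TM as uptime in minutes, and the minidump POST with no Host header) are exactly what a network sensor can key on. As an added example that is not part of the presentation, the parser below classifies raw HTTP request text on those traits. The two bot requests are the ones shown on the slides; the benign request is constructed, and the six-hex-digit "XXXXXX-XXXXXX-XXXXXX" id shape in PATH_RE is my assumption generalised from the two captures.

```python
# Added example (not FireEye's code): flag Srizbi-style C&C requests from raw HTTP text.
import re

# Path shape inferred from the two captures on the slides: /<type>/<6hex>-<6hex>-<6hex>
PATH_RE = re.compile(r"^/([gmrdkp])/([0-9A-F]{6}-[0-9A-F]{6}-[0-9A-F]{6})$")
SRIZBI_HEADERS = {"x-flags", "x-tm", "x-bi", "x-ph"}

# Requests copied from the slides (bot traffic) plus one constructed benign request.
TEMPLATE_REQUEST = (
    "GET /g/B5C66E-D701D6-D3012E HTTP/1.1\r\n"
    "Host: dppdrpqd.com\r\n"
    "X-Flags:\r\n"
    "X-TM: 260295\r\n"
    "X-BI: C3CDC5D8D6C6CED89C\r\n"
    "X-PH:\r\n\r\n"
)
MINIDUMP_UPLOAD = (
    "POST /m/10FD3F-8D0D24-67019D HTTP/1.1\r\n"
    "Content-Length: 33712\r\n"
    "X-Flags:\r\n"
    "X-TM: 1560\r\n"
    "X-BI: D9CFD8CDCFC0D6C3C4D9DE9D\r\n"
    "X-PH:\r\n\r\n"
)
BENIGN_REQUEST = (  # constructed
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")   # "X-Flags:" with no value parses as ""
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def classify(raw):
    """Return the fields the slides decode plus a list of indicator tags."""
    method, path, version, headers = parse_request(raw)
    report = {
        "method": method,
        "request_type": None,                  # "g" (template fetch), "m" (minidump), ...
        "bot_id": headers.get("x-bi"),         # X-BI: unique identity f(bot, system)
        "uptime_minutes": None,                # X-TM: minutes since last reboot
        "indicators": [],
    }
    m = PATH_RE.match(path)
    if m:
        report["request_type"] = m.group(1)
        report["indicators"].append("srizbi-path")
    if SRIZBI_HEADERS.issubset(headers):
        report["indicators"].append("srizbi-headers")
    if headers.get("x-tm", "").isdigit():
        report["uptime_minutes"] = int(headers["x-tm"])
    if version == "HTTP/1.1" and "host" not in headers:
        # the minidump POST on the slides has no Host: header at all
        report["indicators"].append("missing-host")
    return report


def is_srizbi(raw):
    """Require both the path shape and the header set, so one odd header alone never fires."""
    tags = classify(raw)["indicators"]
    return "srizbi-path" in tags and "srizbi-headers" in tags


if __name__ == "__main__":
    for label, raw in (("template", TEMPLATE_REQUEST), ("minidump", MINIDUMP_UPLOAD), ("benign", BENIGN_REQUEST)):
        print(label, is_srizbi(raw), classify(raw))
```

The bot_id and uptime_minutes fields are what make the sinkhole logs useful afterwards: X-BI lets you count distinct infected hosts behind a NAT rather than distinct source addresses, and X-TM tells you how long each host has been up since its last reboot.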



